# -----------------------------------------------------------------------------
# CFM WebDetector - Challenge Exclude Rules
#
# Purpose:
#   Suppress *challenge enforcement* for known-good / verified crawlers,
#   so they don't get stuck in challenge loops by accident.
#
# Format:
#   key=value; key=value; ...   (one rule per line)
#
# Keys:
#   ua=PATTERN      User-Agent glob (case-insensitive), supports * and ?
#   asn=AS12345     ASN glob/prefix match (e.g. asn=as15169, asn=as*)
#   ptr=PATTERN     Reverse DNS (PTR) glob (e.g. *.googlebot.com)
#   host=PATTERN    Vhost glob (e.g. api.example.com, *.example.com)
#   mode=all|any    Matching mode:
#                    - all (default): all specified fields must match (safer)
#                    - any: any one field match is enough (riskier)
#   verify_fcrdns=1 Forward-confirm rDNS (PTR must resolve back to same IP)
#                   Recommended for "verified crawlers" like Google/Bing.
#   action=skip|skip_vhost_only
#                    - skip: suppress ALL challenges for this request/IP/rule
#                    - skip_vhost_only: suppress only vhost-wide challenge rules
#                      (CHALLENGE_VHOST, CHALLENGE_SUSPICIOUS_VHOST_SCORE)
#
# Notes / Safety:
#   - UA alone is spoofable. For major crawlers use ptr + verify_fcrdns=1.
#   - ASN alone is too broad (cloud abuse). Prefer "asn + ua" or ptr verification.
#   - Keep these rules strict. "any" mode is rarely recommended.
# -----------------------------------------------------------------------------

# 1) Googlebot
#    Requires PTR suffix + forward-confirmed rDNS.
#    This blocks fake "Googlebot" UAs from random IPs.
ua=*; ptr=*.googlebot.com; verify_fcrdns=1; action=skip
ua=*; ptr=*.google.com;    verify_fcrdns=1; action=skip

# 2) Bingbot
#    Same verification idea as Googlebot.
ua=*; ptr=*.search.msn.com; verify_fcrdns=1; action=skip

# 3) Meta/Facebook crawler (SEMI-STRICT example):
#    ASN + UA combo. Safer than UA-only, but not as strong as FCrDNS.
#    Adjust UA pattern to what you actually see in logs (meta*, facebook*, etc).
asn=as32934; ua=*; action=skip

# 4) Only suppress vhost-wide panic/auto rules for a trusted ASN:
#    Useful for partners/monitors where you still want per-IP/path rules to work,
#    but you never want them to trigger (or be affected by) "challenge everyone on vhost".
#    Example (replace ASxxxx with the partner ASN you trust):
#asn=asXXXX; action=skip_vhost_only
# skroutz
asn=as202042; ua=*; action=skip
# apple
asn=as714; ua=*; action=skip

